570 likes | 961 Vues
Chapter 3. Enumeration. Last modified 1-30-09. Definition. Scanning identifies live hosts and running services Enumeration probes the identified services more fully for known weaknesses Enumeration is more intrusive, using active connections and directed queries
E N D
Chapter 3 Enumeration Last modified 1-30-09
Definition • Scanning identifies live hosts and running services • Enumeration probes the identified services more fully for known weaknesses • Enumeration is more intrusive, using active connections and directed queries • Enumeration will usually be logged and noticed
Goals of Enumeration • User account names • to inform subsequent password-guessing attacks • Oft-misconfigured shared resources • for example, unsecured file shares • Older software versions with known security vulnerabilities • such as web servers with remote buffer overflows
Pen-Test Video • Link Ch 3a: Droop's Box: Simple Pen-test Using Nmap, Nikto, Bugtraq, Nslookup and Other Tools by IronGeek
Telnet in Vista and Windows 7 • First you need to install Telnet • In Control Panel, Programs and Features, Turn Windows Features on or off, check Telnet Client
Banner Grabbing • Connecting to remote applications and observing the output • Simple way, at a command prompt • telnet www.ccsf.edu 80 • On the next blank screen type in • GET / HTTP/1.1 • Press Enter twice
Making Characters Visible • In Windows XP and Vista, you can't see what you type in the Telnet session • Do this: • At a command prompt, type • telnet hills.ccsf.edu 80 • Press Enter. Press Ctrl+]. Then type • set localecho • Press Enter twice • Link Ch 3z11
Example Banners • www.ccsf.edu tells you too much • cnn.com is better
Netcat Banner Grabs • Get Netcat for Windows at links Ch 3d, 3d1, 3d2
Banner-Grabbing Countermeasures • Turn off unnecessary services • Disable the presentation the vendor and version in banners • Audit yourself regularly with port scans and raw netcat connects to active ports
Enumerating Common Network Services • FTP Enumeration, TCP 21 • Enumerating SMTP, TCP 25 • DNS Zone Transfers, TCP 53 • Enumerating TFTP, TCP/UDP 69 • Finger, TCP/UDP 79 • Enumerating HTTP, TCP 80
FTP Enumeration, TCP 21 • CCSF doesn't give away much information • FTP is becoming obsolete, see ftp.sun.com • FTP passwords are sent in the clear • Don't allow anonymous uploads • Turn it off, use secure FTP instead
Googling for FTP Servers • Search for • intitle:"Index of ftp://" • Here's an overly informative HTTP banner
FTP Banner • Here's the corresponding overly informative FTP banner
Enumerating SMTP, TCP 25 • SMTP can be enumerated with Telnet, using these commands • VRFY confirms names of valid users • EXPN reveals the actual delivery addresses of aliases and mailing lists
Antivirus Note • McAfee antivirus blocks telnets to port 25 • "Prevent mass mailing worms from sending mail"
SMTP Enumeration Countermeasures • Disable the EXPN and VRFY commands, or restrict them to authenticated users • Sendmail and Exchange both allow that in modern versions
DNS Zone Transfers, TCP 53 • Zone transfers dump the entire contents of a given domain's zone files • Restricted to authorized machines on most DNS servers now
Enumerating TFTP, TCP/UDP 69 • TFTP is inherently insecure • Runs in cleartext • No authentication at all • Anyone can grab any file • Used in routers and VoIP Telephones to update firmware
TFTP Enumeration Countermeasures • Wrap it to restrict access • Using a tool such as TCP Wrappers • TCP Wrappers is like a software firewall, only allowing certain clients to access a service • Links Ch 3e, 3f • Limit access to the /tftpboot directory • Make sure it's blocked at the border firewall
Finger, TCP/UDP 79 • Shows users on local or remote systems, if enabled • Useful for social engineering • Countermeasure: block remote access to finger
Enumerating HTTP, TCP 80 • Grab banners with netcat or telnet • Crawl Web sites with Sam Spade
HTTP Enumeration Countermeasures • Change the banner on your web servers • URLScan for IIS v 4 and later • Link Ch 3h
Microsoft RPC Endpoint Mapper (MSRPC), TCP 135 • Remote Procedure Call (RPC) endpoint mapper (or portmapper) service on TCP 135 • Querying this service can yield information about applications and services available on the target machine
epdump • Shows services bound to IP addresses • It takes some research to interpret the results • Link Ch 3n
rpcdump • On the Backtrack 2 CD • Start, Backtrack, Vulnerability Identification, All, RPCDump • Similar confusing results
MSRPC Enumeration Countermeasures • Block port 135 at the firewall, if you can • But some Microsoft Exchange configurations require access to the endpoint mapper • You can avoid that by using Virtual Private Networks, or • Outlook Web Access (OWA) which works over HTTPS
NetBIOS Name Service, UDP 137 • NetBIOS Name Service (NBNS) is Microsoft's name service, an alternative to DNS • What is Name Resolution? • Suppose you issue a command that refers to a computer by name, such as PING
Name Resolution • Windows needs to change a computer name to an IP address to send data packets • Windows uses two naming systems: • DNS (the preferred method) • NetBIOS Name Resolution (still used by all versions of Windows) • See link Ch 3v
Standard Name Resolution Methods • Charts from link Ch 3v
NET VIEW • NET VIEW can list the domains, or the computers in each domain
NBNS over TCP/IP • Normally NBNS only works on the local network segment • It is possible to route NBNS over TCP/IP, allowing enumeration from a remote system
Other Tools to Enumerate NBNS • NLTEST and NETDOM can find domain controllers • NETVIEWX finds specific services • NBTSTAT collects information from a single system • NBTSCAN scans a whole range of addresses, and dumps the whole NetBIOS name table • Link Ch 3w
Stopping NetBIOS Name Services Enumeration • All the preceding techniques operate over the NetBIOS Naming Service, UDP 137 • Block UDP 137 at the firewall, or restrict it to only certain hosts • To prevent user data from appearing in NetBIOS name table dumps, disable the Alerter and Messenger services on individual hosts • Blocking UDP 137 will disable NBNS name authentication, of course
NetBIOS Session, TCP 139 • These are the notorious Null Sessions • The Windows Server Message Block (SMB) protocol hands out a wealth of information freely • Null Sessions are turned off by default in Win XP and later versions, but open in Win 2000 and NT • They aren't available in Win 95, 98, or Me • Link Ch 3x, 3y, 3z00, 3z01
Information Available • Null sessions on Win 2000 and NT provide information about: • Shares • User accounts • Password policies
DumpSec • Free from link Ch 3z02 • Runs on Vista (and earlier Windows)
Registry Enumeration • The Registry can be viewed remotely • Requires Administrator privileges by default on Windows servers • You can't do it with null sessions • Gary McKinnon used remote registry access to hack into the Pentagon • Link Ch 3z03
user2sid/sid2user • These utilities can get user account names and SIDs remotely, even if the registry key RestrictAnonymous is set to 1 • They can find the Administrator's account name, even if it's renamed, by changing the last 3 numbers of another account's SID to 500 • Works against Win 2003, but not Win XP SP2 • See link Ch 3z04
All-in-One Null Session Enumeration Tools • Winfo • Newer tool: • NBTEnum 3.3 • Link Ch 3z15
SMB Null Session Countermeasures • Block TCP 139 and 445 at the router • Set the RestrictAnonymous registry key to 1 or 2 • HKLM\SYSTEM\CurrentControlSet\Control\LSA • Ensure the Registry Is Locked Down • http://support.microsoft.com/kb/153183 (link Ch 3z16)
SNMP, UDP 161 • Simple Network Management Protocol (SNMP) is intended for network management and monitoring • Administrators use SNMP to remotely manage routers and other network devices • But it has many security vulnerabilities • See links Ch 3z06, 3z07, 3z08
Community Strings • SNMP is not a very secure protocol. • It has a minimal security system called SNMP Community Strings • Community strings act like passwords • There are three kinds of SNMP Community strings: Read-Only, Read-Write, and Trap (Trap is rarely used) • But the community strings are often left at obvious defaults like "public" and "private"
Management Information Bases (MIBs) • The MIB contains a SNMP device's data in a tree-structured form, like the Windows Registry • Vendors add data to the MIB • Microsoft stores Windows user account names in the MIB • Image from link Ch 3z07
Data Available Via SNMP Enumeration • Running services • Share names • Share paths • Comments on shares • Usernames • Domain name
SNMP Enumeration Tools • snmputil from the Windows NT Resource Kit • snmpget or snmpwalk for Unix • IP Network Browser • Part of the Engineer's Toolset, link Ch 2d